Hacking the Box (Joseph Sheridan)

Speaker: Joseph Sheridan (http://goo.gl/9cMJ8)
Slides by Chris Cooper and Joseph Sheridan.

Penetration tester and ethical hacker Joseph Sheridan takes you through some of the day-to-day hacks utilised during a security engagement.

Presented at #Digibury 007.
http://deeson-online.co.uk/digibury/007

Chris Cooper

July 11, 2012

Transcript

  1. hacking the box

  2. [email protected]
    Joseph Sheridan
    Started Reaction in 2009
    Locally based
    CESG CHECK registered

  3. penetration testing
    aka ethical hacking, pentesting, white hat hacking etc…
    introduction
    What is penetration testing?
    What will be covered today?

  4. penetration testing
    aka ethical hacking, pentesting, white hat hacking etc…
    Services
    • Network infrastructure
    • Web apps
    • Host build reviews
    • Wireless networks
    • Database security

  5. HACKING THE MAINFRAME
    testing network infrastructure

  6. domain admin in under 30mins
    the easy way in? guess passwords  < this actually happens
    password policy

  7. the easy way in?
    the awful passwords we find:
    • Blank (e.g. SQL Server; Gary McKinnon: blank root password, Pentagon)
    • Password01
    • Company name
    • Football team
    • Swear words
    • Their own username

  8. more easiness
    look for unpatched servers
    e.g. how about an internet-facing host with no firewall and missing critical security patches:
    MS04-011 / LSASS
    MS06-040 / Canonicalisation
    MS08-067 / Netapi
    MS09-050 / Negotiate Function Table

  9. MS09-050: owned over the internet

  10. password cracking
    dictionary attack
    brute-force
    rainbow tables

  11. (image-only slide, no transcript text)

  12. sharing != caring
    when you have found a password for… oh, say a local administrator account,
    chances of another account having the same password = HIGH

  13. HACKING THE INTERNET
    testing web applications

  14. user enumeration
    knowing a list of users makes brute-forcing significantly easier

  15. (image-only slide, no transcript text)

  16. stale cookies
    a user’s account is only as secure as his session token

  17. stale cookies
    e.g. once upon a time, we found the following session token…
    MDEzODM0MDg4NzM=
    which translates from Base64 to…
    01383408873
    (annotated on the slide as: always zero | random | sequential (every login))
    get any active session by enumerating through 9999 values (approx 10mins in this case)
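An added example (not from the talk) of the check a tester or developer can run on a token like the one above: decode it, look at whether successive logins hand out near-consecutive values, and compare with what a properly generated token looks like. The three-login sample and the `max_step` threshold are constructed for this example.

```python
import base64
import secrets

# The token quoted on the slide: Base64 wrapping an 11-digit decimal string.
SLIDE_TOKEN = "MDEzODM0MDg4NzM="


def decode_token(token: str) -> str:
    """Base64-decode a session token and return the text it wraps."""
    return base64.b64decode(token).decode("ascii")


def looks_sequential(tokens, max_step=50) -> bool:
    """True when tokens from successive logins decode to nearly consecutive
    integers, i.e. the server is handing out counter-based session ids.

    max_step is an assumption for this example: on a busy site the counter
    may advance by more than one between two of the tester's own logins, so
    small gaps still count as sequential. Non-numeric tokens return False."""
    try:
        values = [int(decode_token(t)) for t in tokens]
    except ValueError:  # not Base64, or not a decimal string underneath
        return False
    steps = [b - a for a, b in zip(values, values[1:])]
    return bool(steps) and all(0 < s <= max_step for s in steps)


def secure_token() -> str:
    """What the token should be: 32 bytes from the OS CSPRNG, URL-safe Base64."""
    return secrets.token_urlsafe(32)


# Constructed sample of three logins in a row against a server like the one on
# the slide; values are made up for this example, not captured from any system.
CONSTRUCTED_LOGINS = [
    base64.b64encode(b"01383408873").decode(),
    base64.b64encode(b"01383408874").decode(),
    base64.b64encode(b"01383408876").decode(),
]

if __name__ == "__main__":
    print(decode_token(SLIDE_TOKEN))                              # 01383408873
    print(looks_sequential(CONSTRUCTED_LOGINS))                   # True
    print(looks_sequential([secure_token() for _ in range(3)]))   # False
```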

  18. (image-only slide, no transcript text)

  19. xss
    No results found for <?= $_GET["search"] ?>
    http://mysite.com/?search=

  20. xss
    No results found for <?= $_GET["search"] ?>
    http://mysite.com/?search=
    payload: <script>alert('xsstest')</script>

  21. xss
    No results found for <?= $_GET["search"] ?>
    http://mysite.com/?search=<script>alert('xsstest')</script>
    payload: <script>alert('xsstest')</script>

  22. xss
    No results found for <script>alert('xsstest')</script><br/>
    http://mysite.com/?search=<script>alert('xsstest')</script>
    payload: <script>alert('xsstest')</script>

  23. xss
    No results found for <script>alert('xsstest')</script><br/>
    http://mysite.com/?search=<script>alert('xsstest')</script>
    payload: <script>alert('xsstest')</script>
    [alert box] xsstest
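An added example (not from the talk) of the reflected XSS on slides 19-23 beside its fix: the raw interpolation the PHP `<?= $_GET["search"] ?>` performs, and the same page with the value encoded for the HTML text context first. The `render_*` helpers and the `contains_script_tag` oracle are constructed for this example.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# The slide's test payload, as an HTML string and as it would travel in the URL.
XSS_PAYLOAD = "<script>alert('xsstest')</script>"
XSS_URL = "http://mysite.com/?search=" + quote(XSS_PAYLOAD, safe="")


def search_param(url: str) -> str:
    """Extract the 'search' query parameter the way the page reads $_GET."""
    return parse_qs(urlsplit(url).query).get("search", [""])[0]


def render_vulnerable(search: str) -> str:
    """Mirror of the slide's <?= $_GET["search"] ?>: raw interpolation."""
    return f"No results found for {search}<br/>"


def render_safe(search: str) -> str:
    """Hardened form: encode for the HTML text context before interpolating.
    quote=True also encodes ' and ", so the same helper is safe inside an
    attribute value (this example assumes the value never lands in a script
    block or a URL attribute, which need their own encoders)."""
    return f"No results found for {html.escape(search, quote=True)}<br/>"


def contains_script_tag(page: str) -> bool:
    """Crude oracle for this example: did a live <script> tag reach the page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = search_param(XSS_URL)
    print(render_vulnerable(term))   # the browser would execute the alert
    print(render_safe(term))         # the browser shows the text literally
```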

  24. SQLi
    Enter your username and password: [joebloggs] [*********] Go!
    $query = "SELECT id FROM users WHERE uname='" . $username . "' AND pword='" . $password . "'";

  25. SQLi
    Enter your username and password: [joebloggs] [*********] Go!
    $query = "SELECT id FROM users WHERE uname='" . $username . "' AND pword='" . $password . "'";
    password submitted: ' OR 1=1#

  26. SQLi
    Enter your username and password: [joebloggs] [*********] Go!
    $query = "SELECT id FROM users WHERE uname='joebloggs' AND pword='' OR 1=1#'";
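An added example (not from the talk) that reproduces the concatenated query from slides 24-26 and sets it beside the parameterised form that closes the hole. It uses an in-memory SQLite table constructed for the example; because the slide's `#` comment is MySQL syntax, the variant actually executed against SQLite uses `--`, which is an assumption noted in the code.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table in the shape the slide's query expects.
    (The slide stores the password in clear; kept here only to mirror it.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT, pword TEXT)")
    conn.executemany("INSERT INTO users (uname, pword) VALUES (?, ?)",
                     [("joebloggs", "correct-horse"), ("admin", "not-telling")])
    return conn


def build_query_as_on_slide(username: str, password: str) -> str:
    """String concatenation exactly as the PHP on the slide does it."""
    return ("SELECT id FROM users WHERE uname='" + username
            + "' AND pword='" + password + "'")


def login_vulnerable(conn, username: str, password: str) -> list:
    """Runs the concatenated query; attacker-controlled text becomes SQL."""
    return conn.execute(build_query_as_on_slide(username, password)).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Parameterised query: the driver sends values separately from the SQL,
    so a quote in the password is only ever compared, never parsed."""
    return conn.execute(
        "SELECT id FROM users WHERE uname=? AND pword=?", (username, password)
    ).fetchall()


# The slide's payload ends in MySQL's '#' comment. SQLite, used here so the
# example runs offline, comments with '--', hence the assumed variant below.
SLIDE_PAYLOAD = "' OR 1=1#"
SQLITE_PAYLOAD = "' OR 1=1--"

if __name__ == "__main__":
    db = make_db()
    print(build_query_as_on_slide("joebloggs", SLIDE_PAYLOAD))  # slide 26's query
    print(login_vulnerable(db, "joebloggs", SQLITE_PAYLOAD))    # every id: [(1,), (2,)]
    print(login_safe(db, "joebloggs", SQLITE_PAYLOAD))          # []
```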

  27. blind SQLi
    ' and if(substring((SELECT pword FROM users WHERE uname='admin'), 1, 1)='a', benchmark(500000, MD5('!')), 0)
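An added example (not from the talk) from the defender's side of the time-based blind injection above: it runs over constructed access-log lines and flags requests that carry a delay primitive such as the slide's `benchmark()`, or whose response time is far above the median for their path. The log format (a trailing response-time field in milliseconds) and the `slow_factor` threshold are assumptions made for this example.

```python
import re
import statistics
from urllib.parse import unquote, urlsplit

# Assumed log format for this example: Apache-style ip, timestamp, request,
# status, bytes, plus a trailing response time in ms. Lines are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" '
                    r'\d{3} \d+ (?P<ms>\d+)$')
# Time-delay primitives a blind probe leans on (the slide uses benchmark()).
DELAY_RE = re.compile(r'\b(benchmark|sleep|pg_sleep)\s*\(|waitfor\s+delay', re.I)

CONSTRUCTED_LOG = [
    '10.0.0.5 - - [11/Jul/2012:10:00:01 +0100] "GET /search?q=shoes HTTP/1.1" 200 5120 41',
    '10.0.0.5 - - [11/Jul/2012:10:00:02 +0100] "GET /search?q=boots HTTP/1.1" 200 4800 39',
    '10.0.0.7 - - [11/Jul/2012:10:00:04 +0100] "GET /search?q=report HTTP/1.1" 200 9100 300',
    '10.0.0.9 - - [11/Jul/2012:10:00:07 +0100] "GET /search?q=%27%20and%20if(substring('
    '(SELECT%20pword%20FROM%20users%20WHERE%20uname%3D%27admin%27),1,1)%3D%27a%27,'
    'benchmark(500000,MD5(%27!%27)),0) HTTP/1.1" 200 4800 8120',
    '10.0.0.5 - - [11/Jul/2012:10:00:09 +0100] "GET /search?q=socks HTTP/1.1" 200 5000 43',
]


def parse_log(lines):
    """Yield (ip, path, decoded query, ms) for lines matching the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            url = urlsplit(m["target"])
            yield m["ip"], url.path, unquote(url.query), int(m["ms"])


def flag_blind_sqli(lines, slow_factor=10):
    """Flag requests carrying a delay function, or taking slow_factor times the
    median latency of their path. Returns a list of (ip, reasons) tuples."""
    rows = list(parse_log(lines))
    latency = {}
    for _, path, _, ms in rows:
        latency.setdefault(path, []).append(ms)
    flagged = []
    for ip, path, query, ms in rows:
        reasons = []
        if DELAY_RE.search(query):
            reasons.append("time-delay SQL function in query string")
        median = statistics.median(latency[path])
        if median > 0 and ms > slow_factor * median:
            reasons.append(f"latency {ms}ms vs path median {median:g}ms")
        if reasons:
            flagged.append((ip, reasons))
    return flagged
```

The benign 300 ms request stays unflagged because the threshold is relative to the path's median, which is what keeps a slow report page from drowning the alert in noise.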

  28. blind SQLi

  29. HACKING PEOPLE
    social engineering

  30. phishing
    From: Company IT Helpdesk
    To: Fred Jones
    Subject: IT Helpdesk Important Information – Action Required
    Dear Fred,
    We have detected suspicious activity relating to your Company account. As a precaution,
    we require you to verify your details using the password management system. Failure to do
    so may result in revocation of your user rights.
    Please copy and paste the following URL into your browser:
    http://security.company.com/pm/?verify=982364925874578955
    IT Dept. Company
    [email protected]
    This email and any files transmitted with it are confidential and are intended solely for
    the use of the individual to whom they are addressed. If you are not the intended
    recipient please notify the sender. Any unauthorised dissemination or copying of this
    email or its attachments and any use or disclosure of any information contained in them,
    is strictly prohibited.
    Please consider the environment before printing this email.

  31. phishing
    users were directed to a mirrored login on our server
    how many fell for it? 9/60

  32. USB drop
    could be preloaded with malware
    or spawn outgoing connections
    leave them lying around / curiosity
    hand them in to receptionist / helpfulness

  33. THE MAKING OF EXPLOITS:
    researching software vulnerabilities

  34. buffer overflows
    ScriptFu
    console

  35. (image-only slide, no transcript text)

  36. buffer overflows

  37. buffer overflows
    exploit contains:
    • return address
    • shellcode

  38. THE
    [email protected]
    reaction information security, canterbury
